How to Get AD Groups for Users

Native Solution
Steps
  • Open the PowerShell ISE on your domain controller and run the following PowerShell script:

Import-Module ActiveDirectory
$Path = "C:\Temp\UserGroups.csv"
$username = "*"   # wildcard matches all users; set to an account name for one user
# Enabled accounts whose Name or SamAccountName matches $username
$ADuser = Get-ADUser -Filter {(Name -like $username -or SamAccountName -like $username) -and (Enabled -eq $true)}

$out = foreach ($user in $ADuser) {
    $groups = Get-ADPrincipalGroupMembership $user
    foreach ($group in $groups) {
        $rec = New-Object PSObject
        # Copy user properties as U_* and group properties as G_* onto one record
        foreach ($UP in $user.psobject.Properties) {
            $rec | Add-Member -Type NoteProperty -Name ("U_" + $UP.Name) -Value $UP.Value -Force
        }
        foreach ($GP in $group.psobject.Properties) {
            $rec | Add-Member -Type NoteProperty -Name ("G_" + $GP.Name) -Value $GP.Value -Force
        }
        # One output row per user/group pair
        $rec | select U_Name, U_DistinguishedName, G_name, G_GroupCategory, G_GroupScope, G_distinguishedName
    }
}

$out | Export-Csv $Path -NoTypeInformation

To list group names for a single user only, replace "*" with the user account name.

For a summary report with less information, you can omit fields from the $rec|select statement.

You can leave only U_Name (or U_SamAccountName) and G_name (or G_SamAccountName) to get a User Name + Group Name summary.

  • Review the .csv report.

Netwrix Auditor for Active Directory
Steps
  • Run Netwrix Auditor. Navigate to “Reports” -> Click “Predefined” -> Expand the “Active Directory” section -> Go to “Active Directory – State-in-Time” -> Select “Group Members” -> Click “View”.
  • Specify “Enabled” in the “Status” field and type “user” in the “Member Type” field -> Click “View Report”.
  • Review your report.
  • To export the report to a file, click the "Floppy" button and choose the desired format.

Get Reports on AD Group Membership

Best practices recommend using AD groups to assign access rights to users. However, over time, your AD group structure can get quite complex, which makes it harder to know who has access to what. To review access rights or troubleshoot permissions issues manually, domain admins have to see which groups users are members of and then review the permissions granted to the groups listed. 

An easier way to get user group membership information is to use PowerShell. Provided the structure of your AD is straightforward, you can get group and user paths by using the Get-ADPrincipalGroupMembership cmdlet from the Active Directory PowerShell module. (To list computer membership, you have to use different commands.) However, if your organization has an extensive list of group names, using PowerShell isn’t a viable option for anything more than occasional ad-hoc analysis.
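
Get-ADPrincipalGroupMembership returns only the groups a user belongs to directly, so where groups are nested the report understates effective access. The following added example (not part of the original page; the function names, the `jsmith` account and the output path are assumptions) has the domain controller expand nesting with the LDAP "matching rule in chain" filter, within a single domain.

```powershell
Import-Module ActiveDirectory

# Escape characters that are special inside an LDAP filter value (RFC 4515).
function ConvertTo-LdapFilterValue([string]$Value) {
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
}

# Groups that hold $DistinguishedName as a member at any nesting depth.
# OID 1.2.840.113556.1.4.1941 is LDAP_MATCHING_RULE_IN_CHAIN; the DC walks the chain.
function Get-GroupsInChain([string]$DistinguishedName) {
    $dn = ConvertTo-LdapFilterValue $DistinguishedName
    Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$dn)"
}

# Hypothetical helper: direct plus nested groups for one user.
function Get-EffectiveGroupMembership {
    param([Parameter(Mandatory)][string]$Identity)

    $user   = Get-ADUser -Identity $Identity -Properties PrimaryGroup
    $direct = @(Get-ADPrincipalGroupMembership -Identity $user).DistinguishedName

    # Everything reachable from the user through the 'member' attribute
    $all = @(Get-GroupsInChain $user.DistinguishedName)

    # The primary group (usually Domain Users) is not stored in 'member',
    # so add it and walk up from it separately.
    if ($user.PrimaryGroup) {
        $all += @(Get-ADGroup -Identity $user.PrimaryGroup)
        $all += @(Get-GroupsInChain $user.PrimaryGroup)
    }

    $all | Sort-Object DistinguishedName -Unique | ForEach-Object {
        [pscustomobject]@{
            U_Name              = $user.Name
            G_Name              = $_.Name
            G_GroupScope        = $_.GroupScope
            G_DistinguishedName = $_.DistinguishedName
            Membership          = if ($direct -contains $_.DistinguishedName) { 'Direct' } else { 'Nested' }
        }
    }
}

# Constructed usage: 'jsmith' is a placeholder account name.
Get-EffectiveGroupMembership -Identity 'jsmith' |
    Export-Csv 'C:\Temp\EffectiveGroups.csv' -NoTypeInformation
```

Rows marked Nested are the ones a direct-membership report misses; review them first when the group in question grants privileged access.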

Netwrix Auditor dramatically simplifies review and troubleshooting of group membership. You can get AD groups for users just by running a predefined report. There’s no need to use PowerShell, so you don’t have to spend time writing and maintaining scripts. Enterprise admins can find the required information promptly and easily export it to CSV, XLSX or even PDF, facilitating regular review and speeding issue resolution.
